Sojobo
Sojobo copied to clipboard
enkomio
A binary analysis framework
Sojobo - A binary analysis framework
Sojobo is an emulator for the B2R2 framework. It was created to easier the analysis of potentially malicious files. It is totally developed in .NET so you don't need to install or compile any other external libraries (the project is self contained).
With Sojobo you can:
- Emulate a (32 bit) PE binary
- Inspect the memory of the emulated process
- Read the process state
- Display a disassembly of the executed code
- Emulate functions in a managed language (C# || F#)
Tools using Sojobo
- ADVDeobfuscator
ADV Deobfuscator - A string deobfuscator for ADVObfuscator
ADVDeobfuscator is tool based on the Sojobo binary analysis framework that analyzes a binary obfuscated with ADBObfuscator and decodes the identified strings.
Download
A compiled version is available to Community sponsored users. If you are a sponsored user you can download the binary from: https://github.com/enkomio-sponsor/compiled_binaries
Documentation
The image below shows an execution of ADVDeobfuscator on the Conti Ransomware.
The image below shows an execution of ADVDeobfuscator on the Taurus Stealer (see also Predator the thief).
I wrote a blog post on how to deobfuscate the Team 9 binaries.
Using Sojobo
Sojobo is intended to be used as a framework to create program analysis utilities. However, various sample utilities were created in order to show how to use the framework in a profitable way.
Download
Documentation
The project is fully documented in F# (cit.) :) Joking apart, I plan to write some blog posts related to how to use Sojobo. Below a list of the current posts:
You can also read the API documentation.
Compile
In order to compile Sojobo you need .NET Core to be installed and Visual Studio. To compile just run build.bat.
License
Copyright (C) 2019 Antonio Parata - @s4tan
Sojobo is licensed under the Creative Commons.
enkomio